AUDIT OF SBA'S [FOIA ex. 2] ELECTRONIC FORMS SYSTEM

AUDIT REPORT NUMBER 5-25

SEPTEMBER 23, 2005

This report may contain proprietary information subject to the provisions of 18 USC 1905 and must not be released to the public or another agency without permission of the Office of Inspector General.

U.S. SMALL BUSINESS ADMINISTRATION
OFFICE OF INSPECTOR GENERAL
WASHINGTON, D.C. 20416

AUDIT REPORT
Issue Date: September 23, 2005
Number: 05-25

To:       Delorice P. Ford
          Chief Privacy Officer

          Charles McClam
          Acting Chief Information Officer

          [FOIA ex. 6]
From:     Robert G. Seabrooks
          Assistant Inspector General for Audit

Subject:  Audit of SBA's [FOIA ex. 2] Electronic Forms System

We have completed an audit of SBA's [FOIA ex. 2] electronic forms system. The audit identified one finding and two recommendations. The audit results are presented below.

BACKGROUND

SBA's [FOIA ex. 2] electronic forms system was implemented in 1997 to automate Agency workflow and is currently in use. [FOIA ex. 2] provides SBA employees with an electronic alternative to paper forms by means of database technology. This technology allows users to access, fill and save electronic forms to a specified location, either public or private. [FOIA ex. 2] is no longer supported by its vendor, [FOIA ex. 2] and no new official government forms are being converted to [FOIA ex. 2]

OBJECTIVES, SCOPE AND METHODOLOGY

The objective of this audit was to determine whether SBA's [FOIA ex. 2] electronic forms system allows for the inappropriate disclosure of personally identifiable information. [FOIA ex. 2]

To accomplish these objectives we reviewed applicable laws and regulations, conducted interviews with SBA management responsible for the administration of [FOIA ex. 2] and tested for disclosure at both SBA Headquarters and Field Office locations. We also interviewed SBA's Privacy Officer to establish a legal perspective on the disclosure of private information on SBA employees through [FOIA ex. 2]. Fieldwork was performed at SBA's Central Office in Washington, DC, National Guaranty Purchase Center in Herndon, VA and SBA Offices in Glendale, CA, Fort Worth, TX and Atlanta, GA, from March through August 2005. Our audit was conducted in accordance with Generally Accepted Government Auditing Standards.

AUDIT RESULTS

We determined that SBA's [FOIA ex. 2] electronic forms system was susceptible to unauthorized disclosure of personal or Privacy Act information. This information included individual SBA employees' names, employee identifiers or social security numbers, addresses, phone numbers and dates of birth. The lack of controls to prevent unauthorized disclosure of these records is a violation of the Privacy Act.

Finding 1: SBA's [FOIA ex. 2] System was not Secure Against Unauthorized Disclosure

SBA's [FOIA ex. 2] electronic forms system did not have adequate security controls to prevent unauthorized disclosure of personal and Privacy Act information of Agency personnel.

[FOIA ex. 2]

The Privacy Act of 1972 defines the term "record" to mean any item, collection, or grouping of information about an individual that is maintained by an agency, including, but not limited to, his education, financial transactions, medical history, and criminal or employment history and that contains his name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a finger or voice print or a photograph. Additionally, the Act identifies that no agency shall disclose any record which is contained in a system of records by any means of communication to any person, or to another agency, except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains, unless disclosure of the record would be to those officers and employees of the agency which maintains the record who have a need for the record in the performance of their duties.

We determined that the following SBA [FOIA ex. 2] system electronic forms contain information maintained by the agency on SBA employees [FOIA ex. 2]

   •  [FOIA ex. 2]
   •  [FOIA ex. 2]
   •  [FOIA ex. 2]
   •  [FOIA ex. 2]

These forms were selected for audit testing to [FOIA ex. 2]

Access to sensitive data for each of the forms was tested at: (1) SBA Headquarters in Washington, DC, (2) Glendale, CA, (3) Fort Worth, TX, and (4) Herndon, VA. In all locations tested, we were able to obtain personal or Privacy Act information on current or past SBA personnel via the [FOIA ex. 2] System. [FOIA ex. 2]

The Office of Chief Information Officer owns and operates SBA's [FOIA ex. 2] system and is responsible for ensuring that SBA employees are adequately trained to use the system.

[FOIA ex. 2]

Recommendation:

1.A  We recommend that the Acting Chief Information Officer implement a replacement capability and fully discontinue the use of the [FOIA ex. 2] system.

1.B  We recommend that the Chief Privacy Officer identify the [FOIA ex. 2] System as in violation of the Privacy Act until the system is repaired or replaced.

Management Comments:

SBA did not provide formal management comments to this report, but met with us on September [date illegible] and September 21, 2005. SBA fully agreed with the draft report. The Chief Privacy Officer identified that [FOIA ex. 2] would be identified as in violation of the Privacy Act in the current year's report.

[FOIA ex. 2]

SBA had converted [FOIA ex. 2] estimated full replacement of the [FOIA ex. 2] System by December 31, 2005. SBA plans to issue an Information Notice in the near future as part of their actions to close this issue.

Evaluation of Management's Comments:

SBA's comments were responsive to the recommendations. We modified the initial recommendations from the draft report to reflect that SBA decided to replace the [FOIA ex. 2] system rather than repair it.

***

The findings included in this report are the conclusions of the Auditing Division based upon the auditors' review of the [FOIA ex. 2] electronic forms system. The findings and recommendations are subject to review and implementation of corrective action by your office following the existing Agency procedures for audit follow-up and resolution.

This report may contain proprietary information subject to the provisions of 18 USC 1905. Do not release to the public or another agency without permission of the Office of Inspector General.

Should you or your staff have any questions, please contact Jeffrey R. Brindle, Director, Information Technology and Financial Management Group, at (202) 205-[FOIA ex. 2]

Attachments